Impact
The vulnerability is an unauthenticated broken access control flaw in the AI Product Search for WooCommerce plugin (Motive Commerce Search) versions 1.38.2 and earlier. An attacker can exploit this weakness by sending crafted HTTP requests to the plugin’s administrative endpoints, bypassing authentication checks and retrieving or manipulating sensitive data. The flaw directly undermines the confidentiality and integrity of a WordPress site, potentially exposing product details, user information, or configuration settings that should be restricted to authorized administrators.
Affected Systems
Any WordPress installation that includes the Motive Commerce Search plugin version 1.38.2 or earlier is affected. The vulnerability is specific to this plugin and does not extend to other WooCommerce or WordPress components unless they are configured to expose the same functionality.
Risk and Exploitability
The CVSS score of 8.2 indicates a high severity. The EPSS score is below 1%, suggesting that while the vulnerability is serious, the likelihood of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires no additional privileges; an unauthenticated attacker can craft requests to trigger the broken access control. The risk is primarily the potential unauthorized data disclosure or modification gained by exploiting the exposed endpoints.
OpenCVE Enrichment